VMware Tunnel Proxy can be configured using either of the following two configuration models:
- Basic Endpoint (single-tier) using a VMware Tunnel Proxy Endpoint
- Relay-Endpoint (multi-tier) using a VMware Tunnel Proxy Relay and VMware Tunnel Proxy Endpoint

Source | Target or Destination | Protocol | Port | Verification | Notes |
---|---|---|---|---|---|
Devices (from Internet and Wi-Fi) | VMware Tunnel Proxy Endpoint | HTTPS | 2020* | Run the following command after installation: `netstat -tlpn \| grep [Port]` | Devices connect to the public DNS configured for VMware Tunnel over the specified port. |
VMware Tunnel Proxy Endpoint | AirWatch Cloud Messaging Server | HTTPS | SaaS: 443; On-Premises: 2001* | `curl -Ivv https://<AWCM URL>:<port>/awcm/status/ping` The expected response is HTTP 200 OK. | For the VMware Tunnel Proxy to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2. |
VMware Tunnel Proxy Endpoint | UEM REST API | HTTP or HTTPS | SaaS: 443; On-Premises: 2001* | `curl -Ivv https://<API URL>/api/mdm/ping` The expected response is HTTP 401 unauthorized. | The VMware Tunnel Proxy must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to [Groups & Settings > All Settings > System > Advanced > Site URLs] to set the [REST API URL]. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the [REST API URL] is most commonly the [Console URL] or [Devices Services URL]. |
VMware Tunnel Proxy Endpoint | Internal resources | HTTP, HTTPS, or TCP | 80, 443, any TCP | Confirm that the VMware Tunnel Proxy Endpoint can access internal resources over the required port. | For applications using VMware Tunnel Proxy to access internal resources. Exact endpoints or ports are determined by where these resources are located. |
VMware Tunnel Proxy Endpoint | Syslog Server | UDP | 514* | | |
Workspace ONE UEM console | VMware Tunnel Proxy Endpoint | HTTPS | 2020* | On-Premises† customers can test the connection using the telnet command: `telnet <Tunnel Proxy URL> <port>` | This is required for a successful "Test Connection" to the VMware Tunnel Proxy Endpoint from the Workspace ONE UEM console. |


Source | Target or Destination | Protocol | Port | Verification | Notes |
---|---|---|---|---|---|
Devices (from Internet and Wi-Fi) | VMware Tunnel Proxy Relay | HTTPS | 2020* | Run the following command after installation: `netstat -tlpn \| grep [Port]` | Devices connect to the public DNS configured for VMware Tunnel over the specified port. |
VMware Tunnel Proxy Relay | AirWatch Cloud Messaging Server | HTTP or HTTPS | SaaS: 443; On-Premises: 2001* | `curl -Ivv https://<AWCM URL>:<port>/awcm/status/ping` The expected response is HTTP 200 OK. | For the VMware Tunnel Proxy to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2. |
VMware Tunnel Proxy Relay | UEM REST API | HTTP or HTTPS | SaaS: 443; On-Premises: 2001* | `curl -Ivv https://<API URL>/api/mdm/ping` The expected response is HTTP 401 unauthorized. The VMware Tunnel Proxy Relay requires access to the UEM REST API only during initial deployment. | The VMware Tunnel Proxy must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to [Groups & Settings > All Settings > System > Advanced > Site URLs] to set the [REST API URL]. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the [REST API URL] is most commonly the [Console URL] or [Devices Services URL]. |
VMware Tunnel Proxy Endpoint | UEM REST API | HTTP or HTTPS | SaaS: 443; On-Premises: 2001* | `curl -Ivv https://<API URL>/api/mdm/ping` The expected response is HTTP 401 unauthorized. The VMware Tunnel Proxy Relay requires access to the UEM REST API only during initial deployment. | The VMware Tunnel Proxy must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to [Groups & Settings > All Settings > System > Advanced > Site URLs] to set the [REST API URL]. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the [REST API URL] is most commonly the [Console URL] or [Devices Services URL]. |
VMware Tunnel Proxy Relay | VMware Tunnel Proxy Endpoint | HTTPS | 2010* | Telnet from VMware Tunnel Proxy Relay to the VMware Tunnel Proxy Endpoint on port 2010. | To forward device requests from the Relay to the Endpoint server. This needs to support a minimum of TLS 1.2. |
VMware Tunnel Proxy Endpoint | Internal resources | HTTP, HTTPS, or TCP | 80, 443, any TCP | Confirm that the VMware Tunnel Proxy Endpoint can access internal resources over the required port. | For applications using VMware Tunnel Proxy to access internal resources. Exact endpoints or ports are determined by where these resources are located. |
VMware Tunnel Proxy Endpoint | Syslog Server | UDP | 514* | | |
Workspace ONE UEM console | VMware Tunnel Proxy Relay | HTTPS | 2020* | On-Premises† customers can test the connection using the telnet command: `telnet <Tunnel Proxy URL> <port>` | This is required for a successful "Test Connection" to the VMware Tunnel Proxy Relay from the Workspace ONE UEM console. |

[NOTES]
* This port can be changed based on your environment's restrictions.
† On-Premises means the location of the Workspace ONE UEM console.
‡ For SaaS customers who need to whitelist outbound communication, refer to the VMware Knowledge Base article that lists up-to-date IP ranges: https://support.workspaceone.com/articles/115001662168-.
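
The two curl checks in the Verification column can be scripted so they are repeatable after every firewall or certificate change. The script below is an added example, not VMware code: the function names and the three command-line arguments (AWCM host, AWCM port, API host) are assumptions, and `--tlsv1.2` holds curl to the TLS 1.2 minimum stated in the Notes column.

```shell
#!/bin/sh
# Added example (not VMware code): scripted form of the two curl checks above.
# Usage: sh verify_tunnel.sh <AWCM host> <AWCM port> <API host[:port]>

# Print the HTTP status for URL, or 000 when no HTTP response arrives.
# --tlsv1.2 sets TLS 1.2 as the lowest version curl will negotiate.
http_code() {
    curl --silent --head --output /dev/null --max-time 10 \
        --tlsv1.2 --write-out '%{http_code}' "$1" || true
}

# check NAME URL EXPECTED: report one line, return 0 only on the expected status.
check() {
    name=$1; url=$2; expected=$3
    got=$(http_code "$url")
    if [ "$got" = "$expected" ]; then
        echo "PASS  $name: HTTP $got"
        return 0
    fi
    case "$got" in
        000|"") hint="no HTTP response: check DNS, firewall rule, TLS version" ;;
        *)      hint="a server answered, but not with the documented status" ;;
    esac
    echo "FAIL  $name: expected HTTP $expected, got ${got:-none} ($hint)"
    return 1
}

# Run both checks; the return value is the number of failed checks.
verify_tunnel_proxy() {
    failures=0
    # AWCM answers the ping with 200 OK.
    check "AWCM" "https://$1:$2/awcm/status/ping" 200 || failures=$((failures + 1))
    # The REST API answers an unauthenticated ping with 401, which still
    # proves the path is open end to end.
    check "UEM REST API" "https://$3/api/mdm/ping" 401 || failures=$((failures + 1))
    return "$failures"
}

# Only run when the three arguments are supplied (assumed calling convention).
if [ "$#" -eq 3 ]; then
    verify_tunnel_proxy "$@"
fi
```

Run it from the Tunnel Proxy Relay or Endpoint host itself, since the tables describe flows that originate there.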